1 files changed, 39 insertions, 4 deletions
diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c
index 83554ee8a587..0cc99a3ea42d 100644
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -279,12 +279,46 @@ static int yama_ptrace_access_check(struct task_struct *child,
        }
        if (rc) {
-                char name[sizeof(current->comm)];
                printk_ratelimited(KERN_NOTICE
                        "ptrace of pid %d was attempted by: %s (pid %d)\n",
-                        child->pid,
+                        child->pid, current->comm, current->pid);
-                        get_task_comm(name, current),
+        }
-                        current->pid);
+        return rc;
+}
+/**
+ * yama_ptrace_traceme - validate PTRACE_TRACEME calls
+ * @parent: task that will become the ptracer of the current task
+ *
+ * Returns 0 if following the ptrace is allowed, -ve on error.
+ */
+static int yama_ptrace_traceme(struct task_struct *parent)
+{
+        int rc;
+        /* If standard caps disallows it, so does Yama.  We should
+         * only tighten restrictions further.
+         */
+        rc = cap_ptrace_traceme(parent);
+        if (rc)
+                return rc;
+        /* Only disallow PTRACE_TRACEME on more aggressive settings. */
+        switch (ptrace_scope) {
+        case YAMA_SCOPE_CAPABILITY:
+                if (!ns_capable(task_user_ns(parent), CAP_SYS_PTRACE))
+                        rc = -EPERM;
+                break;
+        case YAMA_SCOPE_NO_ATTACH:
+                rc = -EPERM;
+                break;
+        }
+        if (rc) {
+                printk_ratelimited(KERN_NOTICE
+                        "ptraceme of pid %d was attempted by: %s (pid %d)\n",
+                        current->pid, parent->comm, parent->pid);
        }
        return rc;
@@ -294,6 +328,7 @@ static struct security_operations yama_ops = {
        .name =                 "yama",
        .ptrace_access_check =  yama_ptrace_access_check,
+        .ptrace_traceme =       yama_ptrace_traceme,
        .task_prctl =           yama_task_prctl,
        .task_free =            yama_task_free,
 };

diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c index 83554ee8a587..0cc99a3ea42d 100644 --- a/security/yama/yama_lsm.c +++ b/security/yama/yama_lsm.c
@@ -279,12 +279,46 @@ static int yama_ptrace_access_check(struct task_struct *child,
279	}	279	}
280		280
281	if (rc) {	281	if (rc) {
282	char name[sizeof(current->comm)];
283	printk_ratelimited(KERN_NOTICE	282	printk_ratelimited(KERN_NOTICE
284	"ptrace of pid %d was attempted by: %s (pid %d)\n",	283	"ptrace of pid %d was attempted by: %s (pid %d)\n",
285	child->pid,	284	child->pid, current->comm, current->pid);
286	get_task_comm(name, current),	285	}
287	current->pid);	286
		287	return rc;
		288	}
		289
		290	/**
		291	* yama_ptrace_traceme - validate PTRACE_TRACEME calls
		292	* @parent: task that will become the ptracer of the current task
		293	*
		294	* Returns 0 if following the ptrace is allowed, -ve on error.
		295	*/
		296	static int yama_ptrace_traceme(struct task_struct *parent)
		297	{
		298	int rc;
		299
		300	/* If standard caps disallows it, so does Yama. We should
		301	* only tighten restrictions further.
		302	*/
		303	rc = cap_ptrace_traceme(parent);
		304	if (rc)
		305	return rc;
		306
		307	/* Only disallow PTRACE_TRACEME on more aggressive settings. */
		308	switch (ptrace_scope) {
		309	case YAMA_SCOPE_CAPABILITY:
		310	if (!ns_capable(task_user_ns(parent), CAP_SYS_PTRACE))
		311	rc = -EPERM;
		312	break;
		313	case YAMA_SCOPE_NO_ATTACH:
		314	rc = -EPERM;
		315	break;
		316	}
		317
		318	if (rc) {
		319	printk_ratelimited(KERN_NOTICE
		320	"ptraceme of pid %d was attempted by: %s (pid %d)\n",
		321	current->pid, parent->comm, parent->pid);
288	}	322	}
289		323
290	return rc;	324	return rc;
@@ -294,6 +328,7 @@ static struct security_operations yama_ops = {
294	.name = "yama",	328	.name = "yama",
295		329
296	.ptrace_access_check = yama_ptrace_access_check,	330	.ptrace_access_check = yama_ptrace_access_check,
		331	.ptrace_traceme = yama_ptrace_traceme,
297	.task_prctl = yama_task_prctl,	332	.task_prctl = yama_task_prctl,
298	.task_free = yama_task_free,	333	.task_free = yama_task_free,
299	};	334	};